I write to you seeking career advice. I graduated from college in 2005 with a B.S. in Computer Science (programming). I was unable to timely find a job in my field of studies, so I accepted an offer to become an IT Auditor. I’ve been an IT Auditor ever since in two different business environments (banking and government).

Because of my background in programming, I absolutely enjoy undertaking tasks that are related to business analytics, data mining, re-performance, etc. However, my current line of work does not require or provide for that. In addition, I have become greatly interested in security, but while I feel that I am very capable of learning effectively and efficiently, I do not have a strong foundation on networks.

In order to push myself to strive for more, I have looked at the option of becoming CISSP certified. However, I am not sure if the SSCP would be a better choice for me based on my knowledge level.

I am currently CISA certified and know that having another, more technical certification will better position me in my job or others.

What would you suggest? Thanks in advance for your help.

Sincerely,

Programming My Future

Dear “Programmer”:

The best suggestion that I have for you is not to pursue any certifications for the sake of positioning yourself in your current role or others. The certification alone will not help you; finding an environment where your skills are valued for their unique combination is the best way to further your career.

To begin with you have a degree in Computer Science and a background in programming. Next, you have 5-7 years of real world experience in IT Audit and you are a CISA. On top of that, you have an interest in security, and you have a history of gravitating to more technical projects.

The combination of these skills and your interests is unique. Your skills have a great deal of value to an organization that realizes how to utilize them and leverage them for its benefit.

Recently we have been engaged in a number of searches that are looking to find technical information security professionals to work in IT Audit environments. The primary reason for this is that corporations are recognizing that it is critical for these two business functions to understand each other, and the key to this is to either have audit minded security professionals or technically and security astute IT Auditors.

This being said, it is good that you recognize that your lack of networking experience is a shortcoming and a potential skill gap. My feeling would be for you to find a way to work on developing this skill and knowledge. This could begin by reading some books on the topic, taking some vendor based training, and maybe eventually getting a certification that demonstrates and reinforces this knowledge.

If successful, this may be a 2-3 year undertaking. If you begin down this road and it “does not take”, then I would suggest you refocus your energies on the enhancement of your strengths – and maybe learn some new programming languages, application security, code review, or other related skills.

If you are interested in learning about some of these blended opportunities, do not hesitate to contact us at LJ Kushner (lee@ljkushner.com). If you do so, in your e-mail please mention – Career Advice Tuesday!

Currently I am at the end of a job search. The interviews have gone great, I really like the company, and I am on the verge of becoming a CISO for the first time in my career. For about 95% of the process, I have been on “Cloud Nine”.

Unfortunately, my process may have hit a snag, and I really need your advice to potentially avert a catastrophe.

On the company’s application they asked me to list my current professional certifications. I listed my CISSP and my CISA, which I know are current, but I also listed a couple of technical information security certifications that I received earlier in my career. My assumption was that these certifications were current.

I received a call the other day from the background check company asking me to provide some proof of these certifications. I did some checking, and I do have the actual certificates; however, during my discovery I learned that these certifications have definitely expired.

Here is my issue; technically, I have misrepresented myself on the background check form, which I know speaks to my credibility. At the same time, these certifications are not even applicable to my hiring or the qualifications that this information security leadership role requires.

Do you have any advice on how I should handle this situation, to preserve this opportunity? On one hand I want to come clean and let them know of my oversight; on the other hand, since these certs are secondary, they may not even be verifiable, which would mean I would draw attention to something that will be irrelevant.

If you could let me know, that would be great.

Sincerely,

“Certifiably Expired”

Dear “Expired”:

My advice is simple but it is two-fold. It will be short but sweet.

First of all, “tell the truth”. What you need to do is to be in front of the story and to let them know that you made a mistake, and you want to bring it to their attention. You can let them know that your assumption was that these certifications were granted for life, and to your knowledge you did not need to renew them. If they question your sincerity, you can point to both your CISSP and your CISA, which are both current and in good standing, to demonstrate that renewing your certifications is a standard operating procedure for you. In addition, the fact that you can produce the actual certificate as proof will at least demonstrate to your new employer and their background check company that you did actually achieve the certification and your initial statement was indeed accurate.

Secondly, whenever you speak about this, and to whomever you discuss it with, make sure that you do not make this a “big deal”. You should not send e-mails, or contact the senior members of the interview team – you should just deal with the background check company – and should do so via the phone, so that nothing can get forwarded to people with decision making authority for your hiring, who may have dogmatic views about this violation/oversight.

If you make it a big deal, it looks like you are attempting to cover it up and you got caught. If you make it like it is just an honest mistake, you may get them to overlook it altogether and it will most likely become a footnote, and not even become an issue.

What can be learned from this is that when filling out an application, less is more. Only include things that are essential and you know you can verify. If you cannot be 100% accurate, omit it; you can always complete it at a later date.

I have been working in the IT industry for many years and have been dabbling in the Information Security realm for about 5 years now, but am having a hard time getting the experience I would like.

I was recently asked by a friend to help with a side job which required a Security Assessment to be performed. I have never had to perform a Security Assessment so I am a little hesitant making the jump because if I accept the assignment, I want to do it correctly.

I’m not one of those guys that will take the job if I do not believe I can perform it correctly. I do not want to be put in a position where I do a crappy job due to the fact that I do not know what I am doing.

How do I get the experience I would like, so I can take “jobs” like this one with confidence? I have a good reputation and I want to keep it that way.

Any advice you could give, I would be grateful.

Sincerely,

“Biting Off More Than I Can Chew”

Dear “Big Mouth”:

I agree with your sentiments. You only have one reputation and anything that you do that detracts from your reputation will only stay with you through the course of your career. In the end, your work is a reflection of you, and it eventually will define you and become your “brand”.

I give you a good deal of credit for having the integrity to know that this position may be beyond your scope of knowledge and “more than you can chew” at this point in your career.

I can offer you a couple of different options –

1) I would ask your friend if they would be open to “sub contracting” the assignment to someone that you trust. If they say that is OK – what you could do is to ask around your network or on Twitter – if anyone is interested in a consulting assignment – with the caveat that if they take the job – they will let you shadow them on the assignment and teach you. This could be the best way to get practical experience – in essence you can learn – and someone else would get the revenue from the assignment. This would be viewed as quite an even trade!

2) Another option would be to get formalized hands on training. Now, I do realize that if you did take training, you would not be ready for this current assignment – however, with some foresight this could possibly give you the confidence to know that you would do a good job the next time that you get the opportunity to perform this type of work.

The key to this is to get “hands-on” training – not just some certification – that will give you the confidence that you will do the job correctly. Understand that you are doing this for yourself, not for someone else evaluating the value of the certification and utilizing that to judge your competency. In this case, you need to overcome your fear of failure – practical experience, even in a training or lab environment, should enable you to simulate a real world “assessment”. It may not be live – but it is the next best thing.

With the right training, you should be able to do a “good job” on future assessments, and when you do, you can be sure that you will get additional opportunities to practice your craft.

I am about to transition from Military to the Civilian work force. I am an IT Support and Security Professional. I am currently working to gain the CISSP through the SANS Security S+ course. My question is: will this class help with gaining the knowledge I “really need” to pass the CISSP, and will this help with progressing in the civilian work force? This course is expensive but it comes highly recommended from some of the professionals that I work with. Need some guidance.

Sincerely,

Retiring Soldier

Dear Soldier:

First of all, let me say a big THANK YOU for your service to our country.

As a disclaimer – I am not familiar with the particular topics covered in the SANS Security S+ course – so my answer to your question will be a more general one.

The first thing that I want to say is that I question the concept that you actually “really need” to pass the CISSP to work as an information security professional in the civilian work force. Most of the customers that we support are more interested in the candidate’s talent – as opposed to their certifications.

I believe that the question that you should be asking yourself is, “Which training class will enable me to develop my skills and make a smoother transition to work in a commercial environment?”

One of the best ways to determine this will be to first understand the foundation of your current skills and the strengths that you can leverage. Generally speaking, these skills will be more “technical” in nature – centering on either networking, operating systems, software development, etc. Once you are comfortable with this assessment, you may want to look at a training class that can help supplement these skills – possibly something in the area of incident response, security event management, penetration testing, etc.

In developing these skills and skill combinations, you should be able to place yourself in a professional information security environment that will provide you with some exposure to the “domains of knowledge” encompassed by the “CISSP Certification”. In the context of the job, engaging your peers, the purchase of some relatively cheap study guides, and some initiative, you should be able to pass the CISSP (at a substantially lower price point) – if you decide that this is a worthwhile career investment as you aspire toward your ultimate career destination.